Marple: A Demand-Driven Path-Sensitive Buffer Overflow Detector. Wei Le and Mary Lou Soffa, University of Virginia.


Slide 1: Marple: A Demand-Driven Path-Sensitive Buffer Overflow Detector
Wei Le and Mary Lou Soffa, University of Virginia

Slide 2: Motivation: Buffer Overflow
- 20 years since first exploited by the Morris worm
- Always a popular attack vector; e.g., of the 482 new exploitable vulnerabilities reported by SecuriTeam in 2007, 204 were buffer overflows
- Overflows remain because of legacy code and because many companies still depend heavily on C and C++

Slide 3: Challenge: Reduce attacks
- Detect and report where vulnerabilities occur
- Determine the cause and remove it
- Be automatic and usable with manageable manual effort
- Scale to large software

Slide 4: Our Goals and Overall Approach
A framework, Marple, for detecting buffer overflow that is:
- As precise as possible
- Helpful for understanding and removing the overflow
- Scalable
Key idea: identify the paths that lead to a buffer overflow.
Approach:
- Interprocedural and path-sensitive, for precision and to help diagnosis
- Demand-driven, for scalability

Slide 5: Outline of the talk
- Value of paths and path classification
- Demand-driven analysis
- Vulnerability model
- Framework summary
- Experiments
- Conclusions

Slide 6: Path-Insensitive: Detecting an Overflow
(Control-flow graph on the slide.)
i = strlen(a->q_user)
if (i >= sizeof(buf0)) then buf = xalloc(i+1)   [yes branch]
else buf = buf0                                  [no branch]
strcpy(buf, a->q_user)
Facts merged at the join before strcpy: buf = xalloc(i+1) ∨ buf0, under i ≥ sizeof(buf0) ∨ i < sizeof(buf0).

Slide 7: Path-Sensitive: Detecting an Overflow
(Same control-flow graph as slide 6; facts are kept per path.)
Path 1: i ≥ sizeof(buf0), buf = xalloc(i+1)
Path 2: i < sizeof(buf0), buf = buf0

Slide 8: Path-Insensitive: Reporting an Overflow (wu-ftpd realpath.c)
(Control-flow graph on the slide.)
rootd = 1  or  rootd = 0            [two incoming branches]
if (strlen(wbuf) + rootd + 1 + strlen(resolved) > LEN) then exit
if (rootd == 0) then strcat(resolved, "/")
strcat(resolved, wbuf)

Slide 9: Path-Sensitive: Reporting an Overflow (wu-ftpd realpath.c)
(Same control-flow graph as slide 8; each path reaching strcat(resolved, wbuf) is labelled Safe, Overflow, or Infeasible.)

Slide 10: Five Types of Paths
- Infeasible: no input can exercise the path
- Safe: no input can overflow the buffer
- Vulnerable: users can write any content to the buffer
- Overflow-user-independent: the buffer content is statically determinable
- Don't-know: the buffer status cannot be judged statically

Slide 11: Demand-Driven Analysis for Buffer Overflow
Two steps:
- Find all potentially overflow statements in the program
- Examine paths backwards from a potentially overflow statement to the entry to see if an overflow can occur
Benefits: scalability and natural parallelism

Slide 12: Vulnerability Model
A 5-tuple (POS, δ, UPS, γ, r), where POS and UPS are finite sets, and
- POS: set of potentially overflow statements
- δ: mapping POS -> Q, where Q is the set of buffer queries
- UPS: set of statements where queries are updated
- γ: mapping UPS -> E, where E is the set of equations
- r: general security policy used to judge the termination of the search

Slide 13: Partial Vulnerability Model for Buffer Overflow
POS/UPS        | Query                       | Equations
strcpy(a,b)    | Size(a) > Len(b)            | Len'(a) = Len(b)
strcat(a,b)    | Size(a) > Len(a) + Len(b)   | Len'(a) = Len(b) + Len(a)
strncpy(a,b,n) | Size(a) > Min(Len(b), n)    | (Len'(a) = ∞ && Len(b) >= n) || (Len'(a) = Len(b) && Len(b) < n)
a[i] = 't'     | Size(a) > i                 | Len'(a) = ∞
Security policy: after a write to the buffer, the declared buffer size must be no less than the length of the string stored in the buffer.
Answers: infeasible, safe, vulnerable, overflow-input-independent, and don't-know.

Slide 14: Demand-Driven Analysis: An Example (wu-ftpd realpath.c, same control-flow graph as slide 8, with the declaration char resolved[LEN] at the top)
Notation: s = strlen(resolved) + strlen(wbuf), l = sizeof(resolved), f = wbuf
- Query raised at the POS strcat(resolved, wbuf): Q(s < l, f)
- Updated backwards through strcat(resolved, "/"): Q(s+1 < l, f)
- Constrained by the guard strlen(wbuf) + rootd + 1 + strlen(resolved) > LEN (exit not taken): Q(LEN-rootd < l, f)
- With rootd = 0: Q(LEN < l, f), resolved at char resolved[LEN]: Solved
- Q(s+1 < l, f) on the rootd = 1 branch: Infeasible
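To make the backward query propagation of slides 12-14 concrete, here is an added example (not Marple's code, which is built on Microsoft Phoenix): it hand-encodes the four backward paths of the realpath.c fragment, applies the strcat equation Len'(a) = Len(a) + 1 for the appended "/", adds the guard as a path constraint, and classifies each path as infeasible, safe, or overflow by evaluating the query over a small constructed input space. LEN, the path encoding, and the brute-force evaluator are this example's assumptions.

```python
"""Toy demand-driven, path-sensitive check of the wu-ftpd realpath.c
fragment on the slides.  Added example, not Marple's code: the hand-built
paths, query encoding and evaluator simplify the model on slides 12-14."""
from itertools import product

LEN = 8  # constructed size of char resolved[LEN]; the real constant is larger
# Each path lists the nodes met walking *backwards* from the POS
# strcat(resolved, wbuf) to the entry:
#   ("slash",)               strcat(resolved, "/") was executed on this path
#   ("branch", cond, taken)  outcome of a branch assumed on this path
#   ("rootd", value)         the assignment rootd = value at the top
PATHS = {
    "rootd=1, guard passed, no slash": [("branch", "rootd==0", False),
                                        ("branch", "guard", False), ("rootd", 1)],
    "rootd=1, guard passed, slash":    [("slash",), ("branch", "rootd==0", True),
                                        ("branch", "guard", False), ("rootd", 1)],
    "rootd=0, guard passed, no slash": [("branch", "rootd==0", False),
                                        ("branch", "guard", False), ("rootd", 0)],
    "rootd=0, guard passed, slash":    [("slash",), ("branch", "rootd==0", True),
                                        ("branch", "guard", False), ("rootd", 0)],
}

def classify(path):
    """Raise Q(Size(resolved) > Len(resolved) + Len(wbuf)) at the POS and
    evaluate it at the entry under the path's branch constraints."""
    extra, branches, rootd = 0, [], None
    for node in path:
        if node[0] == "slash":
            extra += 1            # UPS equation for strcat(a, "/"): Len'(a) = Len(a) + 1
        elif node[0] == "branch":
            branches.append(node[1:])
        else:
            rootd = node[1]
    feasible, safe = False, True
    # r, w: strlen(resolved) and strlen(wbuf) at the entry (constructed input space)
    for r, w in product(range(LEN + 1), repeat=2):
        outcome = {"rootd==0": rootd == 0,
                   "guard": w + rootd + 1 + r > LEN}   # exit is taken when true
        if any(outcome[c] != taken for c, taken in branches):
            continue              # no input with these lengths exercises the path
        feasible = True
        if not LEN > r + extra + w:   # strcat query: Size(a) > Len(a) + Len(b)
            safe = False
    if not feasible:
        return "infeasible"
    return "safe" if safe else "overflow"

def analyze():
    return {name: classify(path) for name, path in PATHS.items()}
```

The two "slash"/"no slash" paths that contradict their rootd value come out infeasible, the rootd = 1 path is safe, and the rootd = 0 path with the appended "/" is the one-byte overflow the slide marks Overflow.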

Slide 15: Marple Framework
(Block diagram on the slide.)
- The Vulnerability Model: POS, Queries, Equations, Policy
- The Demand-Driven Path-Sensitive Analyzer, fed by the Program source: Raise Queries -> Propagate Queries -> Update Queries -> Evaluate Queries -> Propagate Answers, with a Detect Infeasible Paths check (yes/no) during propagation
- Outputs that Assist Diagnosis: Path Classification and Root Cause Information

Slides 16-19: User Scenario
(Figures on the slides: paths from Entry to a POS, progressively annotated as Vulnerable or Overflow User Independent, and finally with the Root Cause highlighted.)

Slide 20: Experiments
Goals:
- More precisely find vulnerabilities
- False positives in the vulnerable set
- Scalability
- Help in diagnosis
- Comparison with other tools
Experimental setup:
- Microsoft Phoenix, Disolver
- BugBench, Buffer Overflow Benchmark, MechCommander2 (570.9K lines)

Slide 21: Results: Detection
(Table columns: Benchmark, POS, Detected Bugs, Reported New; cell boundaries were lost in extraction, so rows are given as extracted.)
polymorph 1534; ncompress 38111; gzip 3819; bc 24533; wu-ftp 1340; sendmail 2122; BIND 48 1/0 0; MechCommander (POS missing) /0 28/1
- Detected 14 out of 16 documented overflows: 1 don't-know (library call), 1 missed (function pointers)
- Reported 57 new overflows (same path, different buffers)
- Generated 1 false positive, due to integer range analysis

Slide 22: Results: Path-Sensitivity
(Table columns: Benchmark, POS, Path Prioritization V / O / U; cell boundaries were lost in extraction, so rows are given as extracted.)
polymorph 15612; ncompress; gzip; bc; wu-ftp 13314; sendmail 21316; BIND; MechCommander
- All types of paths occur
- 108 don't-knows from bc: 43 complex pointers, 28 recursive procedures, 15 loops, 12 non-linear operations, 8 library calls

Slide 23: Results: Root Cause
(Table columns: Benchmark, POS, Root Cause Info Stmt, Ave. No.; only the row BIND 48 N/A survived extraction; other rows: polymorph, ncompress, gzip, bc, wu-ftp, sendmail, MechCommander.)
- Statements that update the query during analysis are highlighted as root cause information
- On average fewer than 10 statements are highlighted
- Path-sensitive root causes exist

Slide 24: Marple with static tools
- Used the Buffer Overflow Benchmark: 14 programs
  - "Bad" version: several overflows marked
  - "Good" version: overflows fixed
- Static tools: Archer, Boon, UNO, Splint and Polyspace (commercial tool)
- Criteria: probability of detection and probability of false alarms

Slide 25: Marple with static tools
(ROC curve on the slide; x-axis P(f): probability of false alarms, y-axis P(d): probability of detection.)
- Ideal Tool (0, 1)
- Marple-A (0.04, 0.49): using only Vulnerable/Overflow paths
- Marple-B (0.42, 0.88): Marple-A + Don't-know paths
- Splint (0.43, 0.57)
- PolySpace (0.5, 0.87)
- BOON, ARCHER, UNO: plotted without coordinates
Benchmark results for the other tools are from Zitser, Lippmann and Leek, FSE.

Slide 26: Performance
- Visited: 43% of nodes, 52% of procedures
- Memory: 2.5GB
- Time: MechCommander2 (575K lines) in 35.4 minutes
  - Archer: 121 lines/sec
  - IPSSA: 155 lines/sec
  - Marple: 254 lines/sec

Slide 27: Related Work
- Static detection for buffer overflow: ARCHER [03xie], BOON [00wagner], ESPx [06hackett], Prefast [ms], Prefix [00bush], Splint [96evans]
- Path-sensitive analysis for defects: ARCHER [03xie], ESPx [06hackett], ESP [02das], IPSSA [03livshits], MOPS [02check], Prefix [00bush]
- Demand-driven approach: a general framework [96Duesterwald]; applications to dataflow computation [96Duesterwald], infeasible path detection [97bodik], memory leaks [06Orlovich], postmortem analysis [04Manevich]

Slide 28: Conclusions
- An interprocedural, demand-driven, path-sensitive buffer overflow detection for large software
- A categorization of paths to assist diagnosis
- The identification of vulnerable path segments and of the statements relevant to the root cause
- Our results demonstrate that Marple is scalable and can report buffer overflows with low false positive rates and rich diagnosis information

Slide 29: Thank you, and questions?